Best Practices for Integrated Cybersecurity
The U.S. Office of Management and Budget released a report this spring showing the abysmal state of cybersecurity in the federal government. Three-quarters of the agencies assessed were found to be “at risk” or “at high risk,” highlighting the need for a cyber overhaul. The report also noted that many agencies lacked “standardized cybersecurity processes and IT capabilities,” which affected their ability to “gain visibility and effectively combat threats.”
While governments and businesses recognize the need for an effective strategy to protect data through encryption, not all have implemented truly integrated product solutions. That’s because the definition of integrated often varies. Some products possess basic key and policy management, but they lack the added protection of a hardware security module (HSM), and others may be designed only to shield specific platforms. Integration also could mean a bundle of devices from multiple vendors, each with its own contacts and responsibilities for disparate products, should problems arise.
Instead of confusion, integration should bring strength and cohesiveness, especially in the context of government and defense systems that need a reliable solution for their sensitive data and communications.
Here are a few best practices and trends to keep in mind when looking for a truly integrated, secure data protection solution:
Centralized (and Powerful) Key and Policy Management Is a Must
As data is processed and encrypted, the keys to decrypt that data need to be managed and stored. In fact, solving the key and policy management challenge may well be the hardest part of an encryption deployment. Considering the range of new and legacy systems governments have in place, it’s important to find a key and policy management tool that can work across your full infrastructure without the need for added expenditure. Indeed, government and defense agencies often need to store and manage keys for a wide range of devices, and implementing a solution that works across a whole organization can be difficult. In this case, compatibility is key.
One way to ensure no disruptions when managing keys is to look for solutions that have adopted the OASIS Key Management Interoperability Protocol (KMIP), a standard governing compatibility between key management platforms of several different vendors. KMIP and similar protocols allow for the interoperable exchange of data between different key management servers and clients. Managed on one platform, protocols like this help to vastly simplify key management and facilitate data encryption.
True Random Numbers Matter
Generating strong cryptographic keys using true random numbers helps ensure that the encryption performs at optimal strength. But many solutions are still relying on deterministic algorithms to create the random numbers, potentially exposing data.
Instead, look for a random number generator that derives its numbers from a truly random source, not an algorithm. For example, generators that derive their numbers from a quantum source can produce numbers that are truly unpredictable and therefore enable the encryption to perform as expected.
Built-in HSM Is Best
An HSM is a physical device that manages and stores digital authentication keys. An HSM may come equipped with tamper resistance as well as cryptographic capabilities, all providing the necessary checks and balances to ensure that data encryption keys are kept secure. Put plainly, HSMs should be an integral part of any cybersecurity strategy.
When searching for a solution, it is worth ensuring that your key management capability integrates with the HSM. Some key managers offer data protection with the use of an HSM; set it up as a separate rackmount device rather than an embedded module. In addition to the integration headaches, a security setup that links several devices through networking cables can present its own issues and opportunities for a breach. A weak link in the network chain could negatively affect performance and nullify any security efforts.
Ensuring that a cybersecurity solution comes equipped with a built-in HSM can drastically simplify the implementation and expenditure of security deployments.
Keep Setup Simple
Installing new security systems isn’t trivial. It often requires multiple steps and months of planning to ensure a smooth setup and maintenance. With that in mind, here are a few benefits of finding a solution with minimal installation effort and lower costs.
· Combined key management and HSM: There’s no need to separately load key management software onto a hardware appliance or to install and manage internal or external HSMs.
· Integrated high-speed true random number generator: There's no need to plug in an RNG or other external entropy source if there’s already one integrated.
· Key replication: Managing replication of keys between devices to protect from failure or attacks can be complex. It is worthwhile looking for an integrated solution that can securely do that for you, ensuring that you won’t need to procure, install, configure and manage a range of individual components.
· When things go wrong: For any maintenance or support needs, you will be much better off with the single point of contact obtained by a truly integrated solution rather than juggling support conversations with different parties.
Peace of Mind Only Comes From True Integration
Often, companies and governments with several disparate security systems lack the necessary visibility into how secure they truly are, leaving them to clean up the mess of a breach or to play defense all the time. However, working with an integrated solution not only offers visibility into the entire system but also better equips you to proactively ensure that systems are secure and encrypted ahead of time, leaving less room for chance and opportunities for attacks. With a cohesive, truly secure security strategy comes peace of mind.
After all, cyber attacks aren’t going away anytime soon, and their level of sophistication is only going to grow. An integrated cybersecurity solution will give government and defense sectors the best chance at fending off a threat and keeping citizens protected.
Jane Melia is a vice president at QuintessenceLabs.
